Abstract. We study the problem of factoring univariate polynomials over finite fields.
Under the assumption of the Extended Riemann Hypothesis (ERH), Gao [Gao01] designed
a polynomial time algorithm that fails to factor only if the input polynomial satisfies a
strong symmetry property, namely square balance. In this paper, we propose an extension
of Gao's algorithm that fails only under an even stronger symmetry property. We also
show that our property can be used to improve the time complexity of the best deterministic
algorithms on most input polynomials. The property also yields a new randomized
polynomial time algorithm.
1. Introduction

We consider the problem of designing an efficient deterministic algorithm for factoring
a univariate polynomial with coefficients taken from a finite field. The problem reduces in
polynomial time to the problem of factoring a monic, square-free and completely splitting
polynomial f(x) with coefficients in a prime field $\mathbb{F}_p$ (see [Ber70], [LN94]). Although there
are efficient polynomial time randomized algorithms for factoring f(x) ([Ber70], [CZ81],
[vzGS92], [KS95]), as yet there is no deterministic polynomial time algorithm even under
the assumption of the Extended Riemann Hypothesis (ERH). In this paper we will assume
that ERH is true and that $\xi_1, \xi_2, \ldots, \xi_n$ are the n distinct roots of the input polynomial f,

$$f(x) = \prod_{i=1}^{n} (x - \xi_i) \quad \text{where } \xi_i \in \mathbb{F}_p.$$



In 2001, Gao [Gao01] gave a deterministic factoring algorithm that fails to find nontrivial
factors of f in polynomial time if f belongs to a restricted class of polynomials, namely
square balanced polynomials. Motivated by the work of Gao [Gao01], we have defined a
proper subclass of square balanced polynomials, namely cross balanced polynomials, such
that polynomials that are not cross balanced can be factored deterministically in polynomial
time under the assumption of the ERH.

Our contribution can be summarized as follows. Let f be a monic, square-free and
completely splitting polynomial in $\mathbb{F}_p[x]$ with n roots $\xi_1, \ldots, \xi_n$. Our factoring algorithm
uses an arbitrary (but deterministically chosen) collection of $k = (n \log p)^{O(1)}$ ($n = \deg(f)$)
small degree auxiliary polynomials $p_1(\cdot), \ldots, p_k(\cdot)$, and from each $p_l(\cdot)$ ($1 \le l \le k$) and f it
implicitly constructs a simple n-vertex digraph $G_l$ such that (for $l > 1$) $G_l$ is a subgraph
(not necessarily a proper subgraph) of $G_{l-1}$. A proper factor of f is efficiently retrieved if
any one of the graphs is either not regular, or is regular with in degree and out degree of
every vertex less than a chosen constant c. The condition that all k graphs are regular
imposes a tight symmetry condition on the roots of f, and we point out that this may
be exploited to improve the worst case time complexity of the best known deterministic
algorithms. Further, we show that if the polynomials $p_l(\cdot)$ ($1 \le l \le k$) are randomly chosen
then the symmetry breaks with high probability and our algorithm works in randomized
polynomial time. We call the checking of this symmetry condition a balance test.
We now present the ideas in a little more detail. Define the sets $A_i$ for $1 \le i \le n$ as

$$A_i = \{1 \le j \le n : j \ne i,\ \sigma((\xi_i - \xi_j)^2) = -(\xi_i - \xi_j)\}$$

where $\sigma$ is the square root algorithm described in [Gao01] (see Section 2.4). The polynomial
f is called a square balanced polynomial (as in [Gao01]) if $\#A_1 = \ldots = \#A_n$. For $l \ge 1$,
define the polynomial $f_l$ as

$$f_l = \prod_{i=1}^{n} (x - p_l(\xi_i))$$

where $p_l(\cdot)$ is an arbitrary but deterministically chosen polynomial with degree bounded by
$(n \log p)^{O(1)}$. Further, $p_{l_1}(\cdot) \ne p_{l_2}(\cdot)$ for $l_1 \ne l_2$, and $f_1$ is taken to be f, i.e. $p_1(y) = y$.
Assume that, for a given $k = (n \log p)^{O(1)}$ and for every l, $1 \le l \le k$, the polynomial $f_l = \tilde f_l^{\,d_l}$
where $\tilde f_l$ is a square-free and square balanced polynomial and $d_l > 0$. Later, we show that,
if $f_l$ is not of the above form then a proper factor of f can be retrieved efficiently. For each
polynomial $f_l$, $1 \le l \le k$, define the sets $A_i^{(l)}$ for $1 \le i \le n$ as

$$A_i^{(l)} = \{1 \le j \le n : p_l(\xi_j) \ne p_l(\xi_i),\ \sigma((p_l(\xi_i) - p_l(\xi_j))^2) = -(p_l(\xi_i) - p_l(\xi_j))\}.$$

Further, define the sets $D_i^{(l)}$ iteratively over l as

$$D_i^{(1)} = A_i^{(1)}, \qquad \text{for } l > 1,\ D_i^{(l)} = D_i^{(l-1)} \cap A_i^{(l)}.$$

If $D_i^{(l)} = \phi$ for all i, $1 \le i \le n$, then redefine $D_i^{(l)}$ as $D_i^{(l)} = D_i^{(l-1)}$.

For $1 \le l \le k$, let $G_l$ be a directed graph with n vertices $v_1, \ldots, v_n$, such that there is
an edge from $v_i$ to $v_j$ if and only if $j \in D_i^{(l)}$. Note that $G_l$ is a subgraph of $G_{l-1}$ for
$1 < l \le k$. Denote the in degree and out degree of a vertex $v_i$ by $indeg(v_i)$ and $outdeg(v_i)$,
respectively. We say that the graph $G_l$ is regular (or t-regular) if $indeg(v_1) = outdeg(v_1) =
\ldots = indeg(v_n) = outdeg(v_n) = t$. Call t the regularity of $G_l$. The following theorem is
proved in this paper.

Theorem 1.1. Polynomial f can be factored into nontrivial factors in time $l \cdot (n \log p)^{O(1)}$
if $G_l$ is not regular for some l, $1 \le l \le k$. Further, if $G_1, \ldots, G_k$ are all regular and for
at least $\lceil \log_2 n \rceil$ of the graphs we have $G_l \ne G_{l-1}$ ($1 < l \le k$), then f can be factored in
$k \cdot (n \log p)^{O(1)}$ time.

Note that $G_1$ is regular if and only if f is square balanced, as $A_i^{(1)} = A_i$ for $1 \le i \le n$, and
$G_1$ is in fact a regular tournament.
Suppose f(y) splits as $f(y) = (y - X) \cdot f'(y)$ in the quotient ring $R = \mathbb{F}_p[x]/(f)$ where $X = x
\bmod f$. Our algorithm iteratively tests the graphs $G_1, G_2, \ldots$ to check if any one of them
is not regular. If at the l-th iteration the graph $G_l$ turns out to be not regular, then a proper
factor of f is obtained in polynomial time. However, if $G_l$ is regular, then the algorithm
returns a nontrivial monic factor $g_l(y)$ of $f'(y)$ with degree equal to the regularity of $G_l$.
Moreover, $g_l(y)$ is also a factor of (although it may be equal to) $g_{l-1}(y)$, the factor obtained at
the $(l-1)$-th iteration, and it can be ensured that if $g_l(y)$ is a proper factor of $g_{l-1}(y)$ (which
happens iff $G_l \ne G_{l-1}$) then $\deg(g_l(y)) \le \frac{1}{2} \cdot \deg(g_{l-1}(y))$. Thus, if the graphs repeatedly
turn out to be regular (which in itself is a stringent condition) and for at least $\lceil \log_2 n \rceil$
times it happens that $G_l \ne G_{l-1}$, for $1 < l \le k$, then we obtain a nontrivial linear factor
g(y) of $f'(y)$. The element $-g(0)$ defines a nontrivial endomorphism in the ring R, and
by using a result from [Evd94] (Lemma 9 in [Evd94]) we can find a proper factor of f in
polynomial time. Further, if for only $\epsilon \lceil \log_2 n \rceil$ times we get $G_l \ne G_{l-1}$ ($1 < l \le k$) for some
$\epsilon$, $0 < \epsilon < 1$, then we obtain a nontrivial factor g(y) of $f'(y)$ with degree at most $\frac{n^{1-\epsilon}}{2}$.
Now if we apply Evdokimov's algorithm ([Evd94]) on g(y) (instead of $f'(y)$), we can get
a proper factor of f in time $(n^{\frac{(1-\epsilon)^2}{2} \log n + \epsilon + c_1} \log p)^{c_2}$ ($c_1$ and $c_2$ are constants). For most
polynomials $\epsilon >$ [illegible] (i.e. at least about [illegible]) and this gives an improvement over the time
complexity of $(n^{\frac{1}{2} \log n + c_1} \log p)^{c_2}$ in [Evd94] ($c_1$, $c_2$ are the same constants).

Assuming $n \ll p$, all the best known deterministic algorithms (e.g. [Evd94], [CH00])
use computations in rings with large dimensions over $\mathbb{F}_p$ to get smaller degree factors of
$f'(y)$. Unlike these approaches, the balance test is an attempt to exploit an asymmetry
among the roots of the input polynomial to obtain smaller degree factors of $f'(y)$ without
carrying out computations in rings with large dimensions over $\mathbb{F}_p$. This attribute of our
approach yields a better time complexity for most polynomials, as discussed in the
previous paragraph.

It is sufficient to choose the auxiliary polynomials $p_l(y)$, $1 \le l \le k$, in such a way that
the graphs, if regular, do not all stay the same for too long while their regularities are large. An
efficient and deterministic construction of such auxiliary polynomials would immediately imply
that factorization of univariate polynomials over finite fields can be done in deterministic
polynomial time under ERH. In this paper we assume that the auxiliary polynomials are
arbitrary but deterministically chosen polynomials with degree bounded by $(n \log p)^{O(1)}$.
For example, one possibility is to choose $p_l(y) = y^l$ for $1 \le l \le k$. (In fact, Gao [Gao01]
used this choice of auxiliary polynomials to define a restricted class of square balanced
polynomials called super square balanced polynomials.) We show that if random choices of
auxiliary polynomials are allowed then our algorithm works in randomized polynomial time.
For the graphs to be all regular and equal, the roots of f must satisfy a tight symmetry
condition (given by equal sizes of all the sets $D_i^{(l)}$, for $1 \le i \le n$ and $1 \le l \le k$), and it is
only then that our algorithm fails to factor f.

Definition 1.1. A polynomial f is called k-cross balanced, for $k > 0$, if for every l, $1 \le l \le k$,
the polynomial $f_l = \tilde f_l^{\,d_l}$, where $\tilde f_l$ is a square-free, square balanced polynomial with $d_l > 0$, and
the graph $G_l$ is regular.

It follows from the definition that 1-cross balanced polynomials form the class of square
balanced polynomials. Let $k = (n \log p)^{O(1)}$ be some fixed polynomial in n and $\log p$. A
polynomial f is called cross balanced if it is k-cross balanced and the regularity of the graph $G_k$ is
greater than a fixed constant c. From Theorem 1.1 and [Evd94] it follows that polynomials
that are not cross balanced can be factored deterministically in polynomial time.

2. Preliminaries 

Assume that f is a monic, square-free and completely splitting polynomial over $\mathbb{F}_p$ and
$R = \mathbb{F}_p[x]/(f)$ is the quotient ring consisting of all polynomials modulo f.

2.1. Primitive Idempotents 

Elements $\chi_1, \ldots, \chi_n$ of the ring R are called the primitive idempotents of R if $\sum_{i=1}^{n} \chi_i =
1$ and, for $1 \le i, j \le n$, $\chi_i \cdot \chi_j = \chi_i$ if $i = j$ and 0 otherwise. By the Chinese Remainder
theorem, $R \cong \mathbb{F}_p \oplus \ldots \oplus \mathbb{F}_p$ (n times), such that every element in R can be uniquely
represented by an n-tuple of elements in $\mathbb{F}_p$. Addition and multiplication of two
elements in R can be viewed as componentwise addition and multiplication of the n-tuples.
Any element $\alpha = (a_1, \ldots, a_n) \in R$ can be written as $\alpha = \sum_{i=1}^{n} a_i \chi_i$ where $a_i \in \mathbb{F}_p$. Let
g(y) be a polynomial in R[y] given by

$$g(y) = \sum_{i=0}^{m} \gamma_i y^i \quad \text{where } \gamma_i \in R \text{ and } \gamma_i = \sum_{j=1}^{n} g_{ij} \chi_j,\ g_{ij} \in \mathbb{F}_p \text{ for } 0 \le i \le m \text{ and } 1 \le j \le n.$$

Then g(y) can be alternatively represented as

$$g(y) = \sum_{j=1}^{n} g_j(y) \chi_j \quad \text{where } g_j(y) = \sum_{i=0}^{m} g_{ij} y^i \in \mathbb{F}_p[y] \text{ for } 1 \le j \le n.$$

The usefulness of this representation is that operations on polynomials in R[y] (multiplication,
gcd etc.) can be viewed as componentwise operations on polynomials in $\mathbb{F}_p[y]$.

2.2. Characteristic Polynomial 

Consider an element $\alpha = \sum_{i=1}^{n} a_i \chi_i \in R$ where $a_i \in \mathbb{F}_p$, $1 \le i \le n$. The element
$\alpha$ defines a linear transformation on the vector space R (over $\mathbb{F}_p$), mapping an element
$\beta \in R$ to $\alpha\beta \in R$. The characteristic polynomial of $\alpha$ (viewed as a linear transformation)
is independent of the choice of basis and is equal to

$$c_\alpha(y) = \prod_{i=1}^{n} (y - a_i).$$

In order to construct $c_\alpha$ one can use $1, X, X^2, \ldots, X^{n-1}$ as the basis of R and form the
matrix $(m_{ij})$ where $\alpha \cdot X^{j-1} = \sum_{i=1}^{n} m_{ij} X^{i-1}$, $m_{ij} \in \mathbb{F}_p$, $1 \le i, j \le n$. Then $c_\alpha$ can be
constructed by evaluating $\det(y \cdot I - (m_{ij}))$ at n distinct values of y and solving for the n
coefficients of $c_\alpha$ using linear algebra. The process takes only polynomial time. The notion
of characteristic polynomial extends even to higher dimensional algebras over $\mathbb{F}_p$.
2.3. GCD of Polynomials

Let $g(y) = \sum_{i=1}^{n} g_i(y) \chi_i$ and $h(y) = \sum_{i=1}^{n} h_i(y) \chi_i$ be two polynomials in R[y], where
$g_i, h_i \in \mathbb{F}_p[y]$ for $1 \le i \le n$. Then the gcd of g and h is defined as

$$\gcd(g, h) = \sum_{i=1}^{n} \gcd(g_i, h_i)\, \chi_i.$$

We note that the concept of gcd of polynomials does not make sense in general over an
arbitrary algebra. However, the fact that R is a completely splitting semisimple algebra over
$\mathbb{F}_p$ allows us to work componentwise over $\mathbb{F}_p$, and this makes the notion of gcd meaningful
in this context. The following lemma was shown by Gao [Gao01].

Lemma 2.1. [Gao01] Given two polynomials $g, h \in R[y]$, $\gcd(g, h)$ can be computed in time
polynomial in the degrees of the polynomials, n and $\log p$.



2.4. Gao's Algorithm

Let $R = \mathbb{F}_p[x]/(f) = \mathbb{F}_p[X]$ where $X = x \bmod f$ and suppose that f(y) splits in R as
$f(y) = (y - X) f'(y)$. Define the quotient ring S as $S = R[y]/(f'(y)) = R[Y]$ where $Y = y \bmod f'$. S
is an elementary algebra over $\mathbb{F}_p$ with dimension $n' = n(n-1)$. Gao [Gao01] described an
algorithm $\sigma$ for taking the square root of an element in S. If $p - 1 = 2^e w$ where $e \ge 1$ and w is
odd, and $\eta$ is a primitive $2^e$-th root of unity, then $\sigma$ has the following properties:

(1) Let $\mu_1, \ldots, \mu_{n'}$ be the primitive idempotents in S and $\alpha = \sum_{i=1}^{n'} a_i \mu_i \in S$ where $a_i \in \mathbb{F}_p$.
Then $\sigma(\alpha) = \sum_{i=1}^{n'} \sigma(a_i) \mu_i$.

(2) Let $a = \eta^u \theta$ where $\theta \in \mathbb{F}_p$ with $\theta^w = 1$ and $0 \le u < 2^e$. Then $\sigma(a^2) = a$ iff $u < 2^{e-1}$.

When $p \equiv 3 \bmod 4$, $\eta = -1$ and property (2) implies that $\sigma(a^2) = a$ for $a \in \mathbb{F}_p^*$ iff a is a
quadratic residue in $\mathbb{F}_p$.

Algorithm 1. [Gao01]
Input: A polynomial $f \in \mathbb{F}_p[x]$.

Output: A proper factor of f or output that "f is square balanced".

1. Form X, Y, R, S as before.

2. Compute $C = \frac{1}{2}(X + Y + \sigma((X - Y)^2)) \in S$.

3. Compute the characteristic polynomial c(y) of C over R.

4. Decompose c(y) as $c(y) = h(y)(y - X)^t$, where t is the largest possible.

5. If h(X) is a zero divisor in R then find a proper factor of f, otherwise output that "f is
square balanced".

It was shown in [Gao01] that Algorithm 1 fails to find a proper factor of f if and only
if f is square balanced. Moreover, it follows from the analysis in [Gao01] (see Theorem 3.1
in [Gao01]) that, when f is square balanced, the polynomial h(y) takes the form

$$h(y) = \sum_{i=1}^{n} \prod_{j \in A_i} (y - \xi_j)\, \chi_i$$

where $A_i = \{j : j \ne i,\ \sigma((\xi_i - \xi_j)^2) = -(\xi_i - \xi_j)\}$ and $\#A_i = \frac{n-1}{2}$ for all i, $1 \le i \le n$.
3. Our Algorithm and Analysis

In this section, we describe our algorithm for factoring the polynomial f. We show that the
algorithm fails to factor f in $k \cdot (n \log p)^{O(1)}$ time if and only if f is k-cross balanced and the
regularity of $G_k$ is greater than c. The algorithm involves k polynomials, $f = f_1, \ldots, f_k$,
where the polynomial $f_l$, $1 \le l \le k$, is defined as

$$f_l = \prod_{i=1}^{n} (x - p_l(\xi_i))$$

where $p_l(\cdot)$ is an arbitrary but deterministically fixed polynomial with degree bounded
by $(n \log p)^{O(1)}$ and $p_{l_1}(\cdot) \ne p_{l_2}(\cdot)$ for $l_1 \ne l_2$. The polynomial $f_l$ can be constructed in
polynomial time by considering the element $p_l(X)$ in $R = \mathbb{F}_p[x]/(f) = \mathbb{F}_p[X]$, where $X = x
\bmod f$, and then computing its characteristic polynomial over $\mathbb{F}_p$.
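As an added illustration (not code from the paper), the following Python builds $f_l$ exactly as described here and in Section 2.2: it forms the multiplication matrix of $p_l(X)$ in $R$, evaluates $\det(yI - M)$ at n points, solves for the coefficients, and can be checked against $\prod_i (x - p_l(\xi_i))$; it also computes the set sizes $\#E_i$ of Lemma 3.1, which reveal when $f_l$ is not a pure power of a square-free polynomial. The prime p = 101 and the root sets are constructed sample values.

```python
# Added example (not the paper's code): f_l via the Section 2.2 characteristic polynomial
# recipe; p = 101 and the roots in the tests are constructed. Coefficient lists, low degree first.

def poly_mulmod(a, b, f, p):
    """a*b in F_p[x] reduced modulo the monic polynomial f (deg f = n)."""
    n = len(f) - 1
    r = [0] * max(len(a) + len(b) - 1, n)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            r[i + j] = (r[i + j] + ai * bj) % p
    for d in range(len(r) - 1, n - 1, -1):        # cancel x^d for every d >= n
        if r[d]:
            c = r[d]
            for k in range(n + 1):
                r[d - n + k] = (r[d - n + k] - c * f[k]) % p
    return r[:n]

def poly_eval_in_R(poly, f, p):
    """The element poly(X) of R = F_p[x]/(f), X = x mod f, by Horner's rule."""
    acc = [0] * (len(f) - 1)
    for coeff in reversed(poly):
        acc = poly_mulmod(acc, [0, 1], f, p)
        acc[0] = (acc[0] + coeff) % p
    return acc

def mult_matrix(alpha, f, p):
    """M[i][j] = coefficient of X^i in alpha*X^j, in the basis 1, X, ..., X^(n-1)."""
    n, cols, cur = len(f) - 1, [], alpha[:]
    for _ in range(n):
        cols.append(cur)
        cur = poly_mulmod(cur, [0, 1], f, p)
    return [[cols[j][i] for j in range(n)] for i in range(n)]

def det_mod(M, p):
    """Determinant over F_p by Gaussian elimination."""
    M, n, det = [row[:] for row in M], len(M), 1
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            return 0
        if piv != c:
            M[c], M[piv], det = M[piv], M[c], -det
        det = det * M[c][c] % p
        inv = pow(M[c][c], p - 2, p)
        for r in range(c + 1, n):
            fac = M[r][c] * inv % p
            M[r] = [(vr - fac * vc) % p for vr, vc in zip(M[r], M[c])]
    return det

def solve_mod(A, b, p):
    """Solve A r = b over F_p for invertible A (Gauss-Jordan on [A | b])."""
    n = len(A)
    M = [A[i][:] + [b[i]] for i in range(n)]
    for c in range(n):
        piv = next(r for r in range(c, n) if M[r][c])
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], p - 2, p)
        M[c] = [v * inv % p for v in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                fac = M[r][c]
                M[r] = [(vr - fac * vc) % p for vr, vc in zip(M[r], M[c])]
    return [row[n] for row in M]

def char_poly(alpha, f, p):
    """c_alpha(y) = det(y*I - M): evaluate at n distinct y, solve for the n lower coefficients."""
    n, M = len(f) - 1, mult_matrix(alpha, f, p)
    pts = list(range(n))                                       # distinct since p > n
    vals = [det_mod([[((y if i == j else 0) - M[i][j]) % p for j in range(n)]
                     for i in range(n)], p) for y in pts]
    vander = [[pow(y, i, p) for i in range(n)] for y in pts]
    rhs = [(v - pow(y, n, p)) % p for v, y in zip(vals, pts)]  # move the y^n term over
    return solve_mod(vander, rhs, p) + [1]                     # monic, degree n

def poly_from_roots(roots, p):
    """prod_i (x - r_i) over F_p."""
    poly = [1]
    for r in roots:
        poly = [(a - r * b) % p for a, b in zip([0] + poly, poly + [0])]
    return poly

def construct_f_l(roots, p_l, p):
    """Section 3: f_l is the characteristic polynomial over F_p of p_l(X) in R."""
    f = poly_from_roots(roots, p)
    return char_poly(poly_eval_in_R(p_l, f, p), f, p)

def lemma31_set_sizes(roots, p_l, p):
    """#E_i = #{j : p_l(xi_j) = p_l(xi_i)} of Lemma 3.1; f_l = ftilde^d_l iff all equal d_l."""
    imgs = [poly_eval_in_R(p_l, [(-r) % p, 1], p)[0] for r in roots]  # p_l(r) = p_l(X) mod (x - r)
    return [imgs.count(v) for v in imgs]
```

With roots 2 and 99 = -2 in $\mathbb{F}_{101}$ and $p_2(y) = y^2$ the two roots collide, so $f_2$ acquires a repeated factor while the $\#E_i$ come out unequal, which is exactly the situation in which Lemma 3.1 yields a proper factor of f.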

Lemma 3.1. If $f_l$ is not of the form $f_l = \tilde f_l^{\,d_l}$, where $\tilde f_l$ is a square-free, square balanced
polynomial and $d_l > 0$, then a proper factor of f can be retrieved in polynomial time.

Proof: By definition, $f_l = \prod_{i=1}^{n} (x - p_l(\xi_i))$. Define the sets $E_i$, for $1 \le i \le n$, as
$E_i = \{1 \le j \le n : p_l(\xi_j) = p_l(\xi_i)\}$. Consider the following gcd in the ring R[y],

$$g(y) = \gcd(p_l(y) - p_l(X), f(y)) = \sum_{i=1}^{n} \prod_{j \in E_i} (y - \xi_j)\, \chi_i.$$

The leading coefficient of g(y) is a zero-divisor in R unless $\#E_1 = \ldots = \#E_n = d_l$ (say).
Therefore, we can assume that

$$f_l = \prod_{j=1}^{m_l} (x - p_l(\xi_{s_j}))^{d_l} \quad \text{where } p_l(\xi_{s_1}), \ldots, p_l(\xi_{s_{m_l}}) \text{ are all distinct and } m_l = \frac{n}{d_l}$$

$$\phantom{f_l} = \tilde f_l^{\,d_l} \quad \text{where } \tilde f_l = \prod_{j=1}^{m_l} (x - p_l(\xi_{s_j})) \text{ is square-free.}$$

If the polynomial $\tilde f_l$ (obtained by square-freeing $f_l$) is not square balanced then a proper factor
$\tilde g_l$ of $\tilde f_l$ is returned by Algorithm 1. But then

$$\gcd(\tilde g_l(p_l(x)), f(x)) = \prod_{j : \tilde g_l(p_l(\xi_j)) = 0} (x - \xi_j)$$

is a proper factor of f. ■



Algorithm 1 works with $\tilde f_l = \prod_{j=1}^{m_l} (x - p_l(\xi_{s_j}))$ as the input polynomial, where the $p_l(\xi_{s_j})$'s are
distinct and $m_l = \frac{n}{d_l}$, and returns a polynomial $h_l(y)$ such that

$$h_l(y) = \sum_{j=1}^{m_l} \prod_{r \in A_j^{(l)}} (y - p_l(\xi_{s_r}))\, \chi_j^{(l)} \qquad (3.1)$$

where the $\chi_j^{(l)}$'s are the primitive idempotents of the ring $R_l = \mathbb{F}_p[x]/(\tilde f_l)$,

$$A_j^{(l)} = \{1 \le r \le m_l : r \ne j,\ \sigma((p_l(\xi_{s_j}) - p_l(\xi_{s_r}))^2) = -(p_l(\xi_{s_j}) - p_l(\xi_{s_r}))\}$$

and $\#A_j^{(l)} = \frac{m_l - 1}{2}$ for $1 \le j \le m_l$. Assume that $p > n^2$ and n is odd, as even degree
polynomials can be factored in polynomial time. In the following algorithm, the parameter k is
taken to be a fixed polynomial in n and $\log p$ and c is a fixed constant.

Algorithm 2. Cross Balance

Input: A polynomial $f \in \mathbb{F}_p[x]$ of odd degree n.

Output: A proper factor of f or "Failure".

• Choose $k - 1$ distinct polynomials $p_2(y), \ldots, p_k(y)$ with degree greater than unity
and bounded by a polynomial in n and $\log p$. (We can use any arbitrary, efficient
mechanism to deterministically choose the polynomials.) Take $p_1(y) = y$.

• for l = 1 to k do

[Steps (1) -- (2): Constructing polynomial $f_l$ and checking if f can be factored
using Lemma 3.1]

(1) (Construct polynomial $f_l$) Compute the characteristic polynomial $c_\alpha(x)$ of the
element $\alpha = p_l(X) \in R$ over $\mathbb{F}_p$. Then $f_l = c_\alpha(x)$.

(2) (Check if f can be factored) Check if $f_l$ is of the form $f_l = \tilde f_l^{\,d_l}$, where $\tilde f_l$ is a
square-free, square balanced polynomial and $d_l > 0$. If not, then find a proper
factor of f as in Lemma 3.1.

[Steps (3) -- (6): Constructing graph $G_l$ implicitly]

(3) (Obtain the required polynomial from Algorithm 1) Else, $\tilde f_l$ is square balanced
and Algorithm 1 returns a polynomial $h_l(y) = y^t + a_1 y^{t-1} + \ldots + a_t$ (as in
equation (3.1)), where $t = \frac{m_l - 1}{2}$ and $a_u \in R_l$ for $1 \le u \le t$.

(4) (Change to a common ring so that gcd is feasible) Each $a_u \in R_l$ is a polynomial
$a_u(x) \in \mathbb{F}_p[x]$ of degree less than $m_l$. Compute $a'_u$ as $a'_u = a_u(p_l(x)) \bmod f$,
for $1 \le u \le t$, and construct the polynomial $h'_l(y) = y^t + a'_1 y^{t-1} + \ldots + a'_t \in R[y]$.

(5) (Construct graph $G_l$ implicitly) If l = 1 then assign $g_1(y) = h'_1(y) \in R[y]$ and
continue the loop with the next value of l. Else, construct the polynomial
$h'_l(p_l(y))$ by replacing y by $p_l(y)$ in $h'_l(y)$ and compute $g_l(y)$ as

$$g_l(y) = \gcd(g_{l-1}(y), h'_l(p_l(y))) \in R[y].$$

(6) (Check if $G_l$ is a null graph) Let $g_l(y) = \beta_{t'} y^{t'} + \ldots + \beta_0$, where $t'$ is the degree
of $g_l(y)$ and $\beta_u \in R$ for $0 \le u \le t'$. If $t' = 0$ then set $g_l(y) = g_{l-1}(y)$ and
continue the loop with the next value of l.

[Steps (7) -- (8): Checking for equal out degrees of the vertices of graph $G_l$.]

(7) (Check if out degrees are equal) Else, $t' > 0$. If $\beta_{t'}$ is a zero divisor in R,
construct a proper factor of f from $\beta_{t'}$ and stop.

(8) (Factor if out degrees are small) Else, if $t' < c$ then use Evdokimov's algorithm
[Evd94] on $g_l(y)$ to find a proper factor of f in $(n \log p)^{O(1)}$ time.

[Steps (9) -- (11): Checking for equal in degrees of the vertices of graph $G_l$.]

(9) (Obtain the values of a nice polynomial at multiple points) If $t' > c$, evaluate
$g_l(y) \in R[y]$ at $n \cdot t'$ distinct points $y_1, \ldots, y_{nt'}$ taken from $\mathbb{F}_p$. Find
the characteristic polynomials of the elements $g_l(y_1), \ldots, g_l(y_{nt'}) \in R$ over $\mathbb{F}_p$ as
$c_1(x), \ldots, c_{nt'}(x) \in \mathbb{F}_p[x]$, respectively. Collect the terms $c_i(0)$ for $1 \le i \le nt'$.

(10) (Construct the nice polynomial from the values) Construct the polynomial
$r(x) = x^{nt'} + r_1 x^{nt'-1} + \ldots + r_{nt'} \in \mathbb{F}_p[x]$ such that $r(y_i) = -c_i(0)$ for $1 \le i \le nt'$.
Solve for $r_i \in \mathbb{F}_p$, $1 \le i \le nt'$, using linear algebra.

(11) (Check if in degrees are equal) For $0 \le i < t'$, if $f^i(x)$ divides r(x) then compute
$\gcd\left(\frac{r(x)}{f^i(x)}, f(x)\right) \in \mathbb{F}_p[x]$. If a proper factor of f is found, stop. Else, continue
with the next value of l.

endfor

• If a proper factor of f is not found in the above for loop, return "Failure".

Theorem 3.2. Algorithm 2 fails to find a proper factor of f in $k \cdot (n \log p)^{O(1)}$ time if and
only if f is k-cross balanced and the regularity of the graph $G_k$ is greater than c.

Proof. We show that Algorithm 2 fails to find a proper factor of f at the l-th iteration of
the loop iff f is l-cross balanced and the regularity of $G_l$ is greater than c. Recall the definitions
of the sets $A_i^{(l)}$ and $D_i^{(l)}$, $1 \le i \le n$, from Section 1. The set $A_i^{(l)}$ is defined as

$$A_i^{(l)} = \{1 \le j \le n : p_l(\xi_j) \ne p_l(\xi_i),\ \sigma((p_l(\xi_i) - p_l(\xi_j))^2) = -(p_l(\xi_i) - p_l(\xi_j))\}$$

and the set $D_i^{(l)}$ is defined iteratively over l as

$$D_i^{(1)} = A_i^{(1)}, \qquad \text{for } l > 1,\ D_i^{(l)} = D_i^{(l-1)} \cap A_i^{(l)}.$$

If $D_i^{(l)} = \phi$ for all i, $1 \le i \le n$, then $D_i^{(l)}$ is redefined as $D_i^{(l)} = D_i^{(l-1)}$. The graph $G_l$, with
n vertices $v_1, \ldots, v_n$, has an edge from $v_i$ to $v_j$ iff $j \in D_i^{(l)}$.

Algorithm 2 fails at the first iteration (l = 1) if and only if f is square balanced. In
this case $A_i^{(1)} = D_i^{(1)} = A_i$, the polynomial $g_1(y)$ is

$$g_1(y) = h(y) = \sum_{i=1}^{n} \prod_{j \in A_i} (y - \xi_j)\, \chi_i$$

and $G_1$ is regular with in degree and out degree of every vertex $v_i$ equal to $\#D_i^{(1)} = \#A_i = \frac{n-1}{2}$.
Thus the polynomial f is 1-cross balanced and $\deg(g_1(y)) = \frac{n-1}{2}$. If Algorithm 2 fails at the
l-th iteration, then we can assume that the polynomials $f = f_1, \ldots, f_l$ are square free and
square balanced (by Lemma 3.1).

Suppose that Algorithm 2 fails at the l-th iteration. Then $\tilde f_l = \prod_{j=1}^{m_l} (x - p_l(\xi_{s_j}))$ is
square free and square balanced, and Algorithm 1 returns the polynomial $h_l(y) \in R_l[y]$ such
that

$$h_l(y) = \sum_{j=1}^{m_l} \prod_{r \in A_j^{(l)}} (y - p_l(\xi_{s_r}))\, \chi_j^{(l)} \qquad (3.2)$$

where the $\chi_j^{(l)}$'s are the primitive idempotents of the ring $R_l = \mathbb{F}_p[x]/(\tilde f_l)$ and

$$A_j^{(l)} = \{1 \le r \le m_l : r \ne j,\ \sigma((p_l(\xi_{s_j}) - p_l(\xi_{s_r}))^2) = -(p_l(\xi_{s_j}) - p_l(\xi_{s_r}))\}.$$

Let $h_l(y) = y^t + a_1 y^{t-1} + \ldots + a_t$, where $t = \frac{m_l - 1}{2}$ and $a_u \in R_l$ for $1 \le u \le t$. Each
$a_u \in R_l$ is a polynomial $a_u(x) \in \mathbb{F}_p[x]$ with degree less than $m_l$, and if $a_u = \sum_{j=1}^{m_l} a_{uj} \chi_j^{(l)}$
for $a_{uj} \in \mathbb{F}_p$, then by the Chinese Remainder theorem (and assuming the correspondence
between $\chi_j^{(l)}$ and the factor $(x - p_l(\xi_{s_j}))$ of $\tilde f_l$) we get

$$a_u(x) = q(x)(x - p_l(\xi_{s_j})) + a_{uj} \quad \text{for some polynomial } q(x) \in \mathbb{F}_p[x]$$
$$\Rightarrow a_u(p_l(x)) = q(p_l(x))(p_l(x) - p_l(\xi_{s_j})) + a_{uj}$$
$$\Rightarrow a_u(p_l(x)) = a_{uj} \bmod (x - \xi) \quad \text{for every } \xi \in \{\xi_1, \ldots, \xi_n\} \text{ such that } p_l(\xi) = p_l(\xi_{s_j}).$$

Suppose that, for a given i ($1 \le i \le n$), j(i) ($1 \le j(i) \le m_l$) is the unique index such that
$p_l(\xi_i) = p_l(\xi_{s_{j(i)}})$. Then the polynomial $a'_u(x) = a_u(p_l(x)) \bmod f$ has the following direct
sum (or canonical) representation in the ring R,

$$a'_u = \sum_{i=1}^{n} a_{u\,j(i)}\, \chi_i.$$

This implies that the polynomial $h'_l(y) = y^t + a'_1 y^{t-1} + \ldots + a'_t \in R[y]$ has the canonical
representation

$$h'_l(y) = \sum_{i=1}^{n} \prod_{r \in A_{j(i)}^{(l)}} (y - p_l(\xi_{s_r}))\, \chi_i.$$

Inductively, assume that $g_{l-1}(y)$ has the form

$$g_{l-1}(y) = \sum_{i=1}^{n} \prod_{j \in D_i^{(l-1)}} (y - \xi_j)\, \chi_i.$$

Then,

$$g_l(y) = \gcd(g_{l-1}(y), h'_l(p_l(y))) = \sum_{i=1}^{n} \gcd\left(\prod_{j \in D_i^{(l-1)}} (y - \xi_j),\ \prod_{r \in A_{j(i)}^{(l)}} (p_l(y) - p_l(\xi_{s_r}))\right) \chi_i$$
$$= \sum_{i=1}^{n} \prod_{j \in D_i^{(l-1)} \cap A_i^{(l)}} (y - \xi_j)\, \chi_i \qquad (\text{as } r \in A_{j(i)}^{(l)} \Leftrightarrow s_r \in A_i^{(l)}).$$

Therefore,

$$g_l(y) = \sum_{i=1}^{n} \prod_{j \in D_i^{(l)}} (y - \xi_j)\, \chi_i = \beta_{t'} y^{t'} + \ldots + \beta_0 \ \text{(say)} \qquad (3.3)$$

where $t' = \max_i \#D_i^{(l)}$ and $\beta_u \in R$ for $1 \le u \le t' \le \frac{n-1}{2}$. The element $\beta_{t'}$ is not a
zero divisor in R if and only if $\#D_1^{(l)} = \ldots = \#D_n^{(l)} = t'$. If $t' < c$ then a factor of f can
be retrieved from $g_l(y)$ in polynomial time using already known methods ([Evd94]). The
condition $\#D_i^{(l)} = t'$ for all i, $1 \le i \le n$, makes the out degree of every vertex in $G_l$ equal
to $t'$. However, this may not necessarily imply that the in degree of every vertex in $G_l$ is
also $t'$. Checking for identical in degrees of the vertices of $G_l$ is handled in steps (9) -- (11)
of the algorithm. Consider evaluating the polynomial $g_l(y)$ at a point $y_s \in \mathbb{F}_p$,

$$g_l(y_s) = \sum_{i=1}^{n} \prod_{j \in D_i^{(l)}} (y_s - \xi_j)\, \chi_i.$$

The characteristic polynomial of $g_l(y_s)$ over $\mathbb{F}_p$ is

$$c_s(x) = \prod_{i=1}^{n} \left(x - \prod_{j \in D_i^{(l)}} (y_s - \xi_j)\right)$$

so that

$$-c_s(0) = \prod_{i=1}^{n} \prod_{j \in D_i^{(l)}} (y_s - \xi_j) \quad \text{(since n is odd)} \quad = \prod_{j=1}^{n} (y_s - \xi_j)^{k_j}$$

where $k_j$ is the in degree of the vertex $v_j$ in $G_l$. Let $r(x) = x^{nt'} + r_1 x^{nt'-1} + \ldots + r_{nt'} \in \mathbb{F}_p[x]$
be a polynomial of degree $nt'$ such that

$$r(y_s) = -c_s(0) = \prod_{j=1}^{n} (y_s - \xi_j)^{k_j}$$

for $nt'$ distinct points $\{y_s\}_{1 \le s \le nt'}$ taken from $\mathbb{F}_p$. Since we have assumed that $p > n^2 >
n \cdot \frac{n-1}{2} \ge nt'$, we can solve for the coefficients $r_1, \ldots, r_{nt'}$ using any $nt'$ distinct points from
$\mathbb{F}_p$. Then,

$$r(x) = \prod_{j=1}^{n} (x - \xi_j)^{k_j}.$$

If $k_j \ne t'$ for some j, then there is an $i = \min\{k_1, \ldots, k_n\} < t'$ such that $f^i(x)$ divides r(x)
and $\gcd\left(\frac{r(x)}{f^i(x)}, f(x)\right)$ yields a nontrivial factor of f(x). This shows that the graph $G_l$ is
regular if the algorithm fails at the l-th step. Since $\deg(g_l(y))$ equals the regularity of $G_l$,
if the latter quantity is less than c then we can apply Evdokimov's algorithm [Evd94]
on $g_l(y)$ and get a nontrivial factor of f in polynomial time. ■

Let $H_l$ ($1 \le l \le k$) be a digraph with n vertices $v_1, \ldots, v_n$ such that there is an edge
from $v_i$ to $v_j$ iff $j \in A_i^{(l)}$. Then the graph $G_l = G_{l-1} \cap H_l$, or $G_l = G_{l-1}$ if $G_{l-1} \cap H_l = \Phi$,
where $\Phi$ is the null graph with n vertices but no edge. Here $\cap$ denotes the edge intersection
of graphs defined on the same set of vertices. Algorithm 2 fails to find a proper factor of f
in polynomial time if and only if there exists an $l \le k$ such that $G_l$ is t-regular ($t > c$) and
$G_l \cap H_j = G_l$ or $\Phi$ for all j, $l < j \le k$. It is therefore important to choose the polynomials
$p_j(\cdot)$ in such a way that very quickly we get a graph $H_j$ with $G_l \cap H_j \ne G_l$ or $\Phi$. We say
that a polynomial $p_l(\cdot)$ is good if either $H_l$ is not regular or $G_l \ne G_{l-1}$ ($1 < l \le k$). We
show that only a few good polynomials are required.

Lemma 3.3. Algorithm 2 (with a slight modification) requires at most $\lceil \log_2 n \rceil$ good auxiliary
polynomials to find a proper factor of f.

Proof. Consider the following modification of Algorithm 2. At step 5 of Algorithm 2,
for $l > 1$, take $g_l(y)$ to be either $\gcd(g_{l-1}(y), h'_l(p_l(y)))$ or $g_{l-1}(y)/\gcd(g_{l-1}(y), h'_l(p_l(y)))$,
whichever has the smaller nonzero degree. Accordingly, we modify the definition of the graph
$G_l$. Define the set $\bar A_i^{(l)}$ ($1 \le i \le n$) as

$$\bar A_i^{(l)} = \{1 \le j \le n : j \ne i,\ \sigma((p_l(\xi_i) - p_l(\xi_j))^2) = (p_l(\xi_i) - p_l(\xi_j))\} = \{1 \le j \le n : j \ne i\} \setminus A_i^{(l)}$$

and modify the definition of the sets $D_i^{(l)}$ ($1 \le i \le n$) as

$$D_i^{(1)} = A_i^{(1)},$$
$$\text{for } l > 1,\quad D_i^{(l)} = D_i^{(l-1)} \cap A_i^{(l)} \quad \text{if } g_l(y) = \gcd(g_{l-1}(y), h'_l(p_l(y))),$$
$$\phantom{\text{for } l > 1,\quad D_i^{(l)}} = D_i^{(l-1)} \cap \bar A_i^{(l)} \quad \text{else if } g_l(y) = g_{l-1}(y)/\gcd(g_{l-1}(y), h'_l(p_l(y))).$$

As before, an edge $(v_i, v_j)$ is present in $G_l$ iff $j \in D_i^{(l)}$. This modification ensures that, if
$g_l(y) \ne g_{l-1}(y)$ has an invertible leading coefficient (i.e. if $g_l(y)$ is monic) then the degree
of $g_l(y)$ is at most half the degree of $g_{l-1}(y)$. Hence, for every good choice of polynomial
$p_l(\cdot)$, if $G_{l-1}$ and $G_l$ are $t_{l-1}$-regular and $t_l$-regular, respectively, then $t_l \le \frac{t_{l-1}}{2}$. Therefore,
at most $\lceil \log_2 n \rceil$ good choices of polynomials $p_l(\cdot)$ are required by the algorithm. ■

Theorem 1.1 follows as a corollary to Theorem 3.2 and Lemma 3.3. As already pointed
out in Section 1, if only $\epsilon \lceil \log_2 n \rceil$ good auxiliary polynomials are available for some $\epsilon$,
$0 < \epsilon < 1$, then we obtain a nontrivial factor g(y) of $f'(y)$ with degree at most $\frac{n^{1-\epsilon}}{2}$. If
we apply Evdokimov's algorithm on g(y) instead of $f'(y)$, then the maximum dimension of
the rings considered is bounded by $n^{\frac{(1-\epsilon)^2}{2} \log n + \epsilon + O(1)}$ instead of $n^{\frac{1}{2} \log n + O(1)}$ (as is the case
in [Evd94]).

In the following discussion we briefly analyze the performance of Algorithm 2 based
on uniform random choices of the auxiliary polynomials $p_l(\cdot)$ ($1 \le l \le k$). The proofs are
omitted.

Lemma 3.4. If $p \equiv 3 \bmod 4$ and $p > n^6 2^{2n}$ then about [fraction illegible] of all completely
splitting, square-free polynomials of degree n are square balanced.

Corollary 3.5. If $p \equiv 3 \bmod 4$, $p > n^6 2^{2n}$ and $p_l(y)$ is a uniformly randomly chosen
polynomial of degree $(n - 1)$, then the probability that $f_l$ is either not square-free or is a
square-free and square balanced polynomial is upper bounded by [bound illegible].

It follows that, for $p \equiv 3 \bmod 4$ and $p > n^6 2^{2n}$, if the auxiliary polynomials $p_l(\cdot)$
are uniformly randomly chosen then Algorithm 2 works in randomized polynomial time.
However, the arguments used in the proof of Lemma 3.4 do not immediately apply to the
case $p \equiv 1 \bmod 4$. Therefore, we resort to a more straightforward analysis, although in the
process we get a slightly weaker probability bound.

Lemma 3.6. If $G_l$ ($1 \le l \le k$) is regular and $p_{l+1}(y) \in \mathbb{F}_p[y]$ is a uniformly randomly
chosen polynomial of degree $(n - 1)$ then $G_{l+1} \ne G_l$ with probability at least $1 -$ [bound illegible].

Thus, if the polynomials $p_l(y)$, $1 \le l \le \lceil \log_2 n \rceil$, are randomly chosen, then the probability that
f is not factored by Algorithm 2 within $\lceil \log_2 n \rceil$ iterations is less than [bound illegible].
4. Conclusion

In this paper, we have extended the square balance test by Gao [Gao01] and shown a
direction towards improving the time complexity of the best previously known deterministic
factoring algorithms. Using certain auxiliary polynomials, our algorithm attempts to exploit
an inherent asymmetry among the roots of the input polynomial f in order to efficiently
find a proper factor. The advantage of using auxiliary polynomials is that, unlike [Evd94],
it avoids the need to carry out computations in rings with large dimensions, thereby saving
overall computation time to a significant extent. Motivated by the stringent symmetry
requirement on the roots of f, we pose the following question:

• Is it possible to construct good auxiliary polynomials in deterministic polynomial
time?

An affirmative answer to this question would immediately imply that factoring polynomials
over finite fields can be done in deterministic polynomial time under ERH.